Facebook CEO Mark Zuckerberg recently published an op-ed in the Washington Post naming a role for government and regulation around four specific policies that continue to be concerns for users of Facebook and broader digital platforms. In two areas (privacy and political advertising) Zuckerberg reiterates Facebook’s agreement with previous legislative proposals, including parts of the General Data Protection Regulation (GDPR) in the European Union and (although not named) concepts from the Honest Ads Act introduced by Senators Amy Klobuchar, Mark Warner, and the late John McCain. In addition to these two topics, Zuckerberg also moves towards responding to calls from the public interest community for stronger content moderation of hateful content and for meaningful data portability to promote competition in a market that trends towards dominant platforms. While some may view yet another Facebook op-ed cynically, I believe this one should be welcomed.
Last week, thanks to investigative reporting, we learned that Facebook discovered in January that it was storing millions of users’ passwords in plain text format, making them fully readable for thousands of its employees. Facebook has acknowledged that this was a serious security error and privacy breach on its side, as its systems, ideally, “are designed to mask passwords using techniques that make them unreadable”, and promised that it “will be notifying everyone whose passwords we have found were stored in this way.” There is no evidence that any of the thousand employees with access to these unencrypted passwords actually accessed them, but Facebook’s decision to remain mum reveals an important lesson for the overarching privacy and security policy debate. Importantly, data security incidents are a widespread problem that goes well beyond Facebook.
According to reports, the Federal Trade Commission plans to open a study into the technology industry’s data practices. Called a “6(b)” study, this type of study enables the agency to broadly review an industry practice and allows the agency to compel information from witnesses. Public Knowledge previously urged the FTC to conduct such a study and commends the move to shine a light on the competitive impacts of these data practices.
Over the last three months, Motherboard’s Joseph Cox has produced an excellent series of articles on how the major mobile carriers have sold sensitive geolocation data to bounty hunters and others, including highly precise information designed for use with “Enhance 911” (E911). As we pointed out last month when this news came to light, turning over this E911 data (called assisted GPS or A-GPS), exposing E911 data to third parties -- whether by accident or intentionally, or using it in any way except for 911 or other purposes required by law violates the rules the Federal Communications Commission adopted in 2015 to protect E911 data.
This week featured back-to-back privacy hearings on Capitol Hill to discuss principles for federal privacy legislation. With the one-year anniversary of the European Union’s General Data Protection Regulation implementation coming in May and the California Consumer Privacy Act taking effect in 2020, industry players that have fiercely lobbied against federal privacy legislation in years past are now suddenly calling on Congress to pass a comprehensive privacy bill this year. Here’s a quick look at what happened in each hearing and a few key takeaways.